~ Strathmore University Centre for Intellectual Property and Information Technology Law (CIPIT)

Is Kenya Ready for Unique Identifiers? Part I

It is reported that some 1.6 million students have registered to sit for the Kenya Certificate of Primary Education (KCPE) and Kenya Certificate of Secondary Education (KCSE) examinations in October 2017. As always, preparations for these examinations involves stringent security measures to curb cheating. Beyond cheating, forgery of academic degree certificates and other official documents is also on the rise. To fight this vice, the government has put various measures in place, the latest being introducing a six- character Unique Personal Identifier (UPI). This UPI will be linked to an electronic database with the educational records of all individuals from primary school up to university level. Other than blocking exam cheats and fake certificate fraudsters, the UPI will also be used to curb the theft of public funds by eliminating ‘ghost’ teachers and inflated student enrollment figures.

This UPI program has been introduced under the National Education Sector Plan (NESP) Volume Two: Operational Plan 2013 – 2018 that was published in the year 2015. The Kenya National Education Management Information System (NEMIS) goal is to be a viable system of authentic sector-wide information management based on IT databases that compile, collate and report on relevant information at all levels of the education system. The primary purpose of NEMIS is to support the implementation of NESP and all education sector operational activities of the ministry, Teachers Service Commission and other relevant agencies. This will be done by providing timely and accurate information for strategic planning, policy development and analysis, teacher work force management and operational management.

That said, the Education Cabinet Secretary Fred Matiang’i has described UPI as “the single source of truth for information” as it will consolidate data from all the Ministry of Education institutions. The identifier will take the form ‘AAA-BBB’ and it will be used at every level of education. It will enable interested parties to track the academic progress and qualifications of all persons, which will effectively deal a blow to cheats who resort to bogus academic papers.

While the move is laudable, the use of unique identifiers raises concerns on how the personal information collected will be protected. Article 31 of the Constitution states that every person has the right to privacy, which includes the right not to have information relating to their private affairs unnecessarily required or revealed. This means that the Ministry of Education, which is taking up a data processor role; has a duty to protect all the information that they will collect. Is the ministry ready for this? We surely don’t know but we know that the program is supposed to implemented from September 2017 and Kenya doesn’t have a data protection law, yet.

India too. The nation has implemented a unique identifier project despite lacking a law on how data should be managed. From the experience of India, Kenya can learn how to handle big data and leaks in the event it happens. Other lessons that can be learnt are how ‘the single source of truth’ can be compromised.

To beat exam cheats, biometric information of candidates are registered by the examination body. This security measure was still defeated by candidates who hired professional to sit the exam on their behalf. To cheat the biometric identification scanners, the ‘academic mercenaries’ had artificial thumb impressions of their clients. In July 2, the Sashastra Seema Bal (SSB) busted a gang of cheats who were impersonating applicants for a constable recruitment examination at the Patna Centre, New Delhi. Other than cheating, there have been cases of personal data leaks which have raised questions on the preparedness of the nation in matters to do with data protection.